Krebs on Security

In-depth security news and investigation

How to Buy Friends and Deceive People

Want more friends and followers? Emerging enterprises will create them for you — for a price. An abundance of low-cost, freelance labor online is posing huge challenges for Internet companies trying to combat the growing abuse of their services, and has created a virtual testbed for emerging industries built to assist a range of cybercrime activities, new research shows.

Free services like Craigslist, Facebook, Gmail and Twitter have long sought to deter scammers and spammers by deploying technical countermeasures designed to prevent automated activity, such as the use of botnets to create new accounts en masse. These defenses typically require users to perform tasks that are difficult to automate, at least in theory, such as requiring that new accounts be verified by phone before activation.

But researchers from the University of California, San Diego found that these fraud controls increasingly are being defeated by freelance work arrangements: buyers “crowdsource” work by posting jobs they need done, and globally distributed workers bid on projects that they are willing to take on.

“The availability of this on-demand, for-hire contract market to do just about anything you can think of means it’s very easy for people to innovate around new scams,” said Stefan Savage, a UCSD computer science professor and co-author of the study.

The UCSD team examined almost seven years' worth of data from freelancer.com, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such as online content creation and Web programming. The remainder centered around four classes of what they termed “dirty” jobs: account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.

“Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,” the researchers wrote. “In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook ‘friends’ for $26 – all provided using extensive manual labor.”

The evolving marketplace is best illustrated by the market for services that mass-solve CAPTCHAs — those agglomerations of squiggly numbers and letters that webmail providers and forums frequently require users to input before approving new accounts. The researchers found that the market for CAPTCHA-solving was fostered on freelancer, but quickly expanded into custom markets when the model proved profitable on a large scale. Today, there are plenty of commercial services that pay pennies per day to low-wage workers in India and Eastern Europe to solve these puzzles for people wanting to create huge numbers of accounts at one time.

Adding to the available services, there is now steep competition among services that outfox phone-verified accounts (PVAs). Web services like Craigslist, Gmail and financial institutions sometimes place an automated call to a new account creator, read a numeric code to them over the phone, and require the new user to enter that number into a website.

The UCSD team noticed that demand for phone-verified Craigslist accounts increased rapidly in early 2008, when Craigslist introduced phone verification for the erotic services section of the site. The researchers observed that the price the freelance market will support for creating PVAs can tell you a lot about the value of phone verification as a security mechanism. “For Craigslist, PVAs have made account abuse extremely expensive. In contrast, retail services sell Gmail PVAs for around 25 cents, a 10-20 fold price difference compared to Craigslist,” they wrote.

This same dynamic is now driving competition among services that offer the ability to generate large numbers of fake Twitter “followers” and Facebook “friends”; such services are popular among spammers and scammers who use them to make their pages appear more legitimate and trustworthy.

As demand for these new human services continues to increase, entrepreneurs have stepped in to aggregate the workforce. Savage said overall demand for social networking links has skyrocketed since the early part of 2010, suggesting that spammers have only recently realized the potential for monetizing social links.

“Whether it’s to buy friends for a social network or to do phone verification of new accounts, over time if a particular new business model makes sense, it gets moved out of the freelancer market and into its own stand-alone service,” Savage said.

Need a whole mess of Twitter followers a.s.a.p.? Places like twitterfollowershop.com and buytwitterfollowers.com charge between $17 and $24.95 per 1,000 followers. I called the phone number found in the WHOIS registration records for twitterfollowershop.com, and a guy named “Pat” answered. He told me that the service is powered by manual labor in Asia.

“We have people overseas who are manually following users,” he said.

Want phone verified accounts at Facebook, Craigslist, YouTube and Twitter? Buypvanow.com, verifiedaccountmonster.com and plenty of others will sell verified accounts by the hundreds.

The UCSD paper describing the research in more detail is available here (PDF).

This entry was posted on Friday, July 15th, 2011 at 1:13 am and is filed under A Little Sunshine, Web Fraud 2.0.

Even verified, trusted accounts can become untrustworthy. 30% of spam received “from” Hotmail is from actual accounts that have been stolen using malware and phishing or created en masse as described in the post.

You can see the actual data in the Commtouch Internet Threats Report for July, which looks at the % of spam sent from spammer and stolen/compromised accounts at Gmail and Hotmail.

Fascinating. If labor can’t be automated, then someone can be hired to manually automate. Robots and programs do work, but people will still do robotic work… the world really is one giant labor pool now…